Recently I had a need to check a network consisting of a few hundred systems in order to identify systems that had certain USB devices attached. There was not a need to check for "deleted" registry keys or unallocated space in the registry database. I needed to collect the standard USB keys, and compare them to a list of "Friendly Names" and "Serial Numbers" provided to me.
Standard keys I collected:
\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR
\HKLM\SYSTEM\ControlSet001\Enum\USB
\HKLM\SYSTEM\MountedDevices
\HKLM\SYSTEM\ControlSet001\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Additionally, I wanted to collect the timestamps for each respective registry entry. The challenge was to do this quickly without having to traverse a building to each office and collect them directly with a standard forensic tool.
My solution: Log Parser. That is right, Log Parser(r), a free tool from Microsoft that will parse the file system, the registry, and a whole lot more.
Log Parser allows for variables in scripts. I created a script for each registry key I wanted to retrieve, and added a variable so I could enter the Host name for each.
First, I told Log Parser what values I wanted to retrieve from each registry key with a SELECT statement (note that I chose TOP 2000 for these scripts, so the top 2000 entries are retrieved; you can change that number to as much or as little as you see fit):
SELECT TOP 2000
ComputerName,
Path,
KeyName,
Valuename,
ValueType,
Value,
LastWriteTime
Then I indicated the output with the INTO statement and used an asterisk (*) so that the host name supplied through the variable is substituted into each file name:
INTO *-USBSTOR.csv
Finally, the FROM statement tells Log Parser which key to retrieve, and the variable %NAME% allows a host name to be entered at the command prompt (Log Parser's registry input format addresses a remote machine as \\MACHINE\HKLM\...):
FROM \\%NAME%\HKLM\SYSTEM\ControlSet001\Enum\USBSTOR
You can download the easy-to-use scripts HERE.
Unzip the package into a directory.
Drop down to a command prompt and type:
logparser file:_DeviceClasses.sql?name=HostA
logparser file:_MountedDevice.sql?name=HostA
logparser file:_USBSTOR.sql?name=HostA
logparser file:_USB.sql?name=HostA
Continue to do this for each host, and it will return an individual CSV for each script, separated by host name, as outlined below:
HostA.network.local-DeviceClass.csv
HostA.network.local-MountedDevices.csv
HostA.network.local-USBSTOR.csv
HostA.network.local-USB.csv
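Once the per-host CSVs are in hand, the comparison against the supplied list of Friendly Names and Serial Numbers can be scripted. The following Python is an added example, not one of the scripts in the package; it assumes the column order of the SELECT above, and its sample rows, hosts, serials and watchlist are constructed placeholders.

```python
import csv
import io

# Constructed sample of what the _USBSTOR.sql script writes for each host (column order matches
# the SELECT in the post). Hosts, vendors, serials and timestamps are hypothetical.
SAMPLE_HOSTA_CSV = r"""ComputerName,Path,KeyName,ValueName,ValueType,Value,LastWriteTime
HOSTA,HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001234567890123&0,4C530001234567890123&0,FriendlyName,REG_SZ,SanDisk Cruzer USB Device,2023-04-01 09:15:22
HOSTA,HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\4C530001234567890123&0,4C530001234567890123&0,Service,REG_SZ,disk,2023-04-01 09:15:22
"""
SAMPLE_HOSTB_CSV = r"""ComputerName,Path,KeyName,ValueName,ValueType,Value,LastWriteTime
HOSTB,HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E06B1234ABCD5678&0,0019E06B1234ABCD5678&0,FriendlyName,REG_SZ,Kingston DataTraveler USB Device,2023-03-28 17:02:41
HOSTB,HKLM\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash&Rev_8.07\7&1A2B3C4D&0,7&1A2B3C4D&0,FriendlyName,REG_SZ,Generic Flash USB Device,2023-02-10 11:47:05
"""
# The list of friendly names and serial numbers provided to the investigator (hypothetical values).
WATCHLIST = [
    {"friendly_name": "Kingston DataTraveler USB Device", "serial": "0019E06B1234ABCD5678"},
    {"friendly_name": "SanDisk Cruzer USB Device", "serial": "UNKNOWN"},
]

def serial_from_keyname(keyname):
    """USBSTOR instance keys are '<serial>&<n>'; drop the '&<n>' instance suffix Windows appends.
    A device with no real serial gets a generated id like '7&1A2B3C4D&0' ('&' in position 2)."""
    return keyname.rsplit("&", 1)[0] if "&" in keyname else keyname

def parse_usbstor_csvs(csv_texts):
    """Fold Log Parser's one-row-per-registry-value output into one record per device key."""
    devices = {}
    for text in csv_texts:
        for row in csv.DictReader(io.StringIO(text)):
            dev = devices.setdefault((row["ComputerName"], row["Path"]), {
                "host": row["ComputerName"],
                "serial": serial_from_keyname(row["KeyName"]),
                "last_write": row["LastWriteTime"],  # key LastWriteTime from the same export
                "values": {},
            })
            dev["values"][row["ValueName"]] = row["Value"]
    return list(devices.values())

def find_watchlist_hits(devices, watchlist):
    """Return (host, serial, FriendlyName, LastWriteTime) for every device on the watchlist,
    matched by serial (case-insensitive) or by its FriendlyName value."""
    wanted_serials = {w["serial"].upper() for w in watchlist}
    wanted_names = {w["friendly_name"].lower() for w in watchlist}
    hits = []
    for dev in devices:
        name = dev["values"].get("FriendlyName", "")
        if dev["serial"].upper() in wanted_serials or name.lower() in wanted_names:
            hits.append((dev["host"], dev["serial"], name, dev["last_write"]))
    return hits
```

For a real run, read each HostX.network.local-USBSTOR.csv into the list passed to parse_usbstor_csvs; the LastWriteTime reported with each hit is the key's last write from that export, which is why collecting it alongside the values matters.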
I have many Log Parser scripts made for Forensics and the instructions on how to use them available on my website.
Respectfully, Dave Kleiman - https://computerforensicsllc.com - sans@davekleiman.com